SmartHawk

4.2

中危

56 个模型检测该样本为恶意！

重新分析

下载样本

053f8d5670c666f54c76fc8f3273ed916b1c323bc1a6c71a13f9f02a4746a061

a7c930732560445a040bf5534d87013e.exe

分析耗时

73s

最近分析

文件大小

1.0MB

静态报毒动态报毒 100% AI SCORE=89 AIDETECTVM ALJFNKVNFTI BH1@AUX4WEOI CLASSIC CONFIDENCE CRIDEX EHLS ENCPK FHGPJ GENCIRC GENERICKDZ GENETIC GPAM GRAYWARE HEAO HIGH CONFIDENCE HLDLVE INJECT3 KRYPTIK LIMPOPO MALICIOUS PE MALWARE1 MALWARE@#3AJ8VA1IINZBX PINKSBOT QAKBOT QBOT R + MAL SCORE STATIC AI UNSAFE ZENPAK ZEXAF 更多

未检测暂无鹰眼引擎检测结果

查杀引擎	查杀结果	查杀时间	查杀版本
McAfee	W32/PinkSbot-GW!A7C930732560	20201211	6.0.6.653
Alibaba	Backdoor:Win32/QakBot.d6d7a89d	20190527	0.3.0.5
Tencent	Malware.Win32.Gencirc.10cdd647	20201211	1.0.0.1
Baidu		20190318	1.0.0.2
Kingsoft		20201211	2017.9.26.565
Avast	Win32:Trojan-gen	20201210	21.1.5827.0
CrowdStrike	win/malicious_confidence_100% (W)	20190702	1.0

Queries for the computername (2 个事件)

Time & API	Arguments	Status	Return	Repeated
1619826879.2364 GetComputerNameW	computer_name: OSKAR-PC	success	1	0
1619826900.452751 GetComputerNameW	computer_name: OSKAR-PC	success	1	0

This executable is signed

The executable contains unknown PE section names indicative of a packer (could be a false positive) (4 个事件)

section	r2
section	r3
section	r33
section	r334

One or more processes crashed (2 个事件)

Time & API	Arguments	Status	Return	Repeated
1619826901.093751 __exception__	stacktrace: a7c930732560445a040bf5534d87013e+0x3f07 @ 0x403f07 a7c930732560445a040bf5534d87013e+0x1b25 @ 0x401b25 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 1637624 registers.edi: 0 registers.eax: 1447909480 registers.ebp: 1637684 registers.edx: 22104 registers.ebx: 1 registers.esi: 2908504 registers.ecx: 10 exception.instruction_r: ed 89 5d e4 89 4d e0 5a 59 5b 58 83 4d fc ff eb exception.symbol: a7c930732560445a040bf5534d87013e+0x3449 exception.instruction: in eax, dx exception.module: a7c930732560445a040bf5534d87013e.exe exception.exception_code: 0xc0000096 exception.offset: 13385 exception.address: 0x403449	success	0	0
1619826901.093751 __exception__	stacktrace: a7c930732560445a040bf5534d87013e+0x3f10 @ 0x403f10 a7c930732560445a040bf5534d87013e+0x1b25 @ 0x401b25 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 1637628 registers.edi: 0 registers.eax: 1447909480 registers.ebp: 1637684 registers.edx: 22104 registers.ebx: 1 registers.esi: 2908504 registers.ecx: 20 exception.instruction_r: ed 89 45 e4 5a 59 5b 58 83 4d fc ff eb 11 33 c0 exception.symbol: a7c930732560445a040bf5534d87013e+0x34e2 exception.instruction: in eax, dx exception.module: a7c930732560445a040bf5534d87013e.exe exception.exception_code: 0xc0000096 exception.offset: 13538 exception.address: 0x4034e2	success	0	0

Allocates read-write-execute memory (usually to unpack itself) (6 个事件)

Time & API	Arguments	Status
1619826878.9084 NtAllocateVirtualMemory	process_identifier: 368 region_size: 225280 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x005b0000	success
1619826878.9244 NtAllocateVirtualMemory	process_identifier: 368 region_size: 221184 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x005f0000	success
1619826878.9244 NtProtectVirtualMemory	process_identifier: 368 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 237568 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x00400000	success
1619826900.390751 NtAllocateVirtualMemory	process_identifier: 340 region_size: 225280 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x01ce0000	success
1619826900.390751 NtAllocateVirtualMemory	process_identifier: 340 region_size: 221184 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff allocation_type: 12288 (MEM_COMMIT\|MEM_RESERVE) base_address: 0x01d20000	success
1619826900.390751 NtProtectVirtualMemory	process_identifier: 340 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 0 length: 237568 protection: 64 (PAGE_EXECUTE_READWRITE) process_handle: 0xffffffff base_address: 0x00400000	success

A process created a hidden window (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619826880.0024 CreateProcessInternalW	thread_identifier: 1380 thread_handle: 0x00000140 process_identifier: 340 current_directory: filepath: track: 1 command_line: C:\Users\Administrator.Oskar-PC\AppData\Local\Temp\a7c930732560445a040bf5534d87013e.exe /C filepath_r: stack_pivoted: 0 creation_flags: 134217728 (CREATE_NO_WINDOW) process_handle: 0x00000144 inherit_handles: 0	success	1	0

Searches running processes potentially to identify processes for sandbox evasion, code injection or memory dumping (46 个事件)

Time & API	Arguments	Status	Return
1619826879.2364 Process32FirstW	process_name: [System Process] snapshot_handle: 0x00000140 process_identifier: 0	success	1
1619826879.2674 Process32NextW	process_name: System snapshot_handle: 0x00000140 process_identifier: 4	success	1
1619826879.2834 Process32NextW	process_name: smss.exe snapshot_handle: 0x00000140 process_identifier: 276	success	1
1619826879.2994 Process32NextW	process_name: csrss.exe snapshot_handle: 0x00000140 process_identifier: 372	success	1
1619826879.3144 Process32NextW	process_name: csrss.exe snapshot_handle: 0x00000140 process_identifier: 424	success	1
1619826879.3304 Process32NextW	process_name: wininit.exe snapshot_handle: 0x00000140 process_identifier: 432	success	1
1619826879.3464 Process32NextW	process_name: services.exe snapshot_handle: 0x00000140 process_identifier: 476	success	1
1619826879.3614 Process32NextW	process_name: winlogon.exe snapshot_handle: 0x00000140 process_identifier: 508	success	1
1619826879.3774 Process32NextW	process_name: lsass.exe snapshot_handle: 0x00000140 process_identifier: 536	success	1
1619826879.3924 Process32NextW	process_name: lsm.exe snapshot_handle: 0x00000140 process_identifier: 544	success	1
1619826879.4084 Process32NextW	process_name: svchost.exe snapshot_handle: 0x00000140 process_identifier: 656	success	1
1619826879.4244 Process32NextW	process_name: VBoxService.exe snapshot_handle: 0x00000140 process_identifier: 720	success	1
1619826879.4394 Process32NextW	process_name: svchost.exe snapshot_handle: 0x00000140 process_identifier: 788	success	1
1619826879.4554 Process32NextW	process_name: svchost.exe snapshot_handle: 0x00000140 process_identifier: 868	success	1
1619826879.4714 Process32NextW	process_name: svchost.exe snapshot_handle: 0x00000140 process_identifier: 924	success	1
1619826879.4864 Process32NextW	process_name: svchost.exe snapshot_handle: 0x00000140 process_identifier: 956	success	1
1619826879.5024 Process32NextW	process_name: audiodg.exe snapshot_handle: 0x00000140 process_identifier: 112	success	1
1619826879.5174 Process32NextW	process_name: svchost.exe snapshot_handle: 0x00000140 process_identifier: 540	success	1
1619826879.5334 Process32NextW	process_name: svchost.exe snapshot_handle: 0x00000140 process_identifier: 1080	success	1
1619826879.5494 Process32NextW	process_name: spoolsv.exe snapshot_handle: 0x00000140 process_identifier: 1260	success	1
1619826879.5644 Process32NextW	process_name: svchost.exe snapshot_handle: 0x00000140 process_identifier: 1288	success	1
1619826879.5804 Process32NextW	process_name: taskhost.exe snapshot_handle: 0x00000140 process_identifier: 1336	success	1
1619826879.5964 Process32NextW	process_name: dwm.exe snapshot_handle: 0x00000140 process_identifier: 1384	success	1
1619826879.6114 Process32NextW	process_name: explorer.exe snapshot_handle: 0x00000140 process_identifier: 1424	success	1
1619826879.6274 Process32NextW	process_name: svchost.exe snapshot_handle: 0x00000140 process_identifier: 1592	success	1
1619826879.6424 Process32NextW	process_name: svchost.exe snapshot_handle: 0x00000140 process_identifier: 1980	success	1
1619826879.6584 Process32NextW	process_name: taskeng.exe snapshot_handle: 0x00000140 process_identifier: 1240	success	1
1619826879.6744 Process32NextW	process_name: VBoxTray.exe snapshot_handle: 0x00000140 process_identifier: 2072	success	1
1619826879.6894 Process32NextW	process_name: SearchIndexer.exe snapshot_handle: 0x00000140 process_identifier: 2380	success	1
1619826879.7054 Process32NextW	process_name: wmpnetwk.exe snapshot_handle: 0x00000140 process_identifier: 2460	success	1
1619826879.7214 Process32NextW	process_name: WmiPrvSE.exe snapshot_handle: 0x00000140 process_identifier: 2672	success	1
1619826879.7364 Process32NextW	process_name: SearchProtocolHost.exe snapshot_handle: 0x00000140 process_identifier: 2744	success	1
1619826879.7524 Process32NextW	process_name: SearchFilterHost.exe snapshot_handle: 0x00000140 process_identifier: 2784	success	1
1619826879.7674 Process32NextW	process_name: svchost.exe snapshot_handle: 0x00000140 process_identifier: 2884	success	1
1619826879.7834 Process32NextW	process_name: SearchProtocolHost.exe snapshot_handle: 0x00000140 process_identifier: 2940	success	1
1619826879.7994 Process32NextW	process_name: pythonw.exe snapshot_handle: 0x00000140 process_identifier: 2132	success	1
1619826879.8144 Process32NextW	process_name: pythonw.exe snapshot_handle: 0x00000140 process_identifier: 1376	success	1
1619826879.8304 Process32NextW	process_name: dllhost.exe snapshot_handle: 0x00000140 process_identifier: 3056	success	1
1619826879.8464 Process32NextW	process_name: taskhost.exe snapshot_handle: 0x00000140 process_identifier: 2856	success	1
1619826879.8614 Process32NextW	process_name: sdclt.exe snapshot_handle: 0x00000140 process_identifier: 2996	success	1
1619826879.8774 Process32NextW	process_name: wsqmcons.exe snapshot_handle: 0x00000140 process_identifier: 2424	success	1
1619826879.8924 Process32NextW	process_name: mobsync.exe snapshot_handle: 0x00000140 process_identifier: 3064	success	1
1619826879.9084 Process32NextW	process_name: a7c930732560445a040bf5534d87013e.exe snapshot_handle: 0x00000140 process_identifier: 368	success	1
1619826879.9244 Process32NextW	process_name: schtasks.exe snapshot_handle: 0x00000140 process_identifier: 1912	success	1
1619826879.9394 Process32NextW	process_name: conhost.exe snapshot_handle: 0x00000140 process_identifier: 2456	success	1
1619826901.077751 Process32NextW	process_name: a7c930732560445a040bf5534d87013e.exe snapshot_handle: 0x00000140 process_identifier: 340	success	1

Expresses interest in specific running processes (1 个事件)

process

vboxservice.exe

Detects VMWare through the in instruction feature (1 个事件)

Time & API	Arguments	Status	Return	Repeated
1619826901.093751 __exception__	stacktrace: a7c930732560445a040bf5534d87013e+0x3f07 @ 0x403f07 a7c930732560445a040bf5534d87013e+0x1b25 @ 0x401b25 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763533ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77d69ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77d69ea5 registers.esp: 1637624 registers.edi: 0 registers.eax: 1447909480 registers.ebp: 1637684 registers.edx: 22104 registers.ebx: 1 registers.esi: 2908504 registers.ecx: 10 exception.instruction_r: ed 89 5d e4 89 4d e0 5a 59 5b 58 83 4d fc ff eb exception.symbol: a7c930732560445a040bf5534d87013e+0x3449 exception.instruction: in eax, dx exception.module: a7c930732560445a040bf5534d87013e.exe exception.exception_code: 0xc0000096 exception.offset: 13385 exception.address: 0x403449	success	0	0

File has been identified by 56 AntiVirus engines on VirusTotal as malicious (50 out of 56 个事件)

Bkav	W32.AIDetectVM.malware1
Elastic	malicious (high confidence)
DrWeb	Trojan.Inject3.42195
MicroWorld-eScan	Trojan.GenericKDZ.67857
FireEye	Generic.mg.a7c930732560445a
McAfee	W32/PinkSbot-GW!A7C930732560
Cylance	Unsafe
VIPRE	Trojan.Win32.Generic!BT
Sangfor	Malware
K7AntiVirus	Trojan ( 00568e381 )
BitDefender	Trojan.GenericKDZ.67857
K7GW	Trojan ( 00568e381 )
Cybereason	malicious.b0dd5a
BitDefenderTheta	Gen:NN.ZexaF.34670.bH1@aux4wEoi
Cyren	W32/Trojan.GPAM-2373
Symantec	Trojan.Gen.MBT
APEX	Malicious
Paloalto	generic.ml
Kaspersky	HEUR:Trojan-Banker.Win32.Qbot.pef
Alibaba	Backdoor:Win32/QakBot.d6d7a89d
NANO-Antivirus	Trojan.Win32.Inject3.hldlve
Tencent	Malware.Win32.Gencirc.10cdd647
Ad-Aware	Trojan.GenericKDZ.67857
Sophos	Mal/Generic-R + Mal/EncPk-APV
Comodo	Malware@#3aj8va1iinzbx
F-Secure	Trojan.TR/Crypt.Agent.fhgpj
Zillya	Trojan.Kryptik.Win32.2044746
TrendMicro	Backdoor.Win32.QAKBOT.SME
McAfee-GW-Edition	W32/PinkSbot-GW!A7C930732560
Emsisoft	Trojan.GenericKDZ.67857 (B)
Ikarus	Trojan-Banker.QakBot
Jiangmin	Trojan.Zenpak.ccr
Avira	TR/Crypt.Agent.fhgpj
Antiy-AVL	GrayWare/Win32.Kryptik.ehls
Microsoft	Trojan:Win32/QakBot.GM!MTB
Gridinsoft	Trojan.Kryptik.dd!c
Arcabit	Trojan.Generic.D10911
ZoneAlarm	HEUR:Trojan-Banker.Win32.Qbot.pef
GData	Trojan.GenericKDZ.67857
Cynet	Malicious (score: 100)
Acronis	suspicious
VBA32	Malware-Cryptor.Limpopo
ALYac	Trojan.GenericKDZ.67857
MAX	malware (ai score=89)
Malwarebytes	Backdoor.Qbot
Panda	Trj/Genetic.gen
ESET-NOD32	a variant of Win32/Kryptik.HEAO
TrendMicro-HouseCall	Backdoor.Win32.QAKBOT.SME
Rising	Trojan.Kryptik!1.C745 (CLASSIC)
Yandex	Trojan.Kryptik!alJFNkvnftI